
© 2025 Tellius

AWS PrivateLink

What is an AWS PrivateLink?

AWS PrivateLink is an AWS service (supported by Snowflake) that allows you to create private VPC (Virtual Private Cloud) endpoints for direct, secure connectivity between your AWS VPCs and the Snowflake VPC without going through the public internet. A maximum of five PrivateLinks can be enabled in your environment. This document outlines the steps to configure Snowflake-AWS PrivateLink.

Pre-requisites

To configure Snowflake-AWS PrivateLink, you must have the following:

  • Access to an AWS account with permissions to create VPC endpoints and DNS Hosted Zones.

  • Access to a Snowflake account with ACCOUNTADMIN permissions.

Steps to follow (on Snowflake side)

  1. Log in to your Snowflake account with ACCOUNTADMIN permissions and run the following command, using the federation token output from Step 1 on the AWS side. This command authorizes Snowflake to access your AWS resources.

use role accountadmin;
-- replace 185... with the 12-digit identifier of your AWS account
-- replace the second argument with the federation token JSON (see Step 1 on the AWS side)

select system$authorize_privatelink (
    '185...',
    '{
       "Credentials": {
           "AccessKeyId": "ASI...",
           "SecretAccessKey": "enw...",
           "SessionToken": "Fwo...",
           "Expiration": "2021-01-07T19:06:23+00:00"
       },
       "FederatedUser": {
           "FederatedUserId": "185...:sam",
           "Arn": "arn:aws:sts::185...:federated-user/sam"
       },
       "PackedPolicySize": 0
    }'
  );

2. On the Snowflake worksheet, run and save the output of the following command. It provides the necessary configurations to enable internal stages on Snowflake.

select SYSTEM$GET_PRIVATELINK_CONFIG();

3. Run the following command to enable internal stages on Snowflake and display the configuration settings:

use role accountadmin;
alter account set enable_internal_stages_privatelink = true;
select key, value from table(flatten(input=>parse_json(system$get_privatelink_config())));
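
A pre-flight check for the token passed in step 1, as an added example that is not part of the original page or of Snowflake's tooling: it confirms the JSON carries temporary credentials (key IDs starting with ASIA rather than a long-lived AKIA key), that the federated-user ARN belongs to the account ID passed as the first argument, and that the token has not expired. The function name and all sample values are constructed for illustration.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample in the shape printed by `aws sts get-federation-token`.
SAMPLE_TOKEN = json.dumps({
    "Credentials": {"AccessKeyId": "ASIAEXAMPLEEXAMPLE00", "SecretAccessKey": "constructed",
                    "SessionToken": "constructed", "Expiration": "2030-01-01T00:00:00+00:00"},
    "FederatedUser": {"FederatedUserId": "123456789012:tellius-sf-01",
                      "Arn": "arn:aws:sts::123456789012:federated-user/tellius-sf-01"},
    "PackedPolicySize": 0,
})
ARN_RE = re.compile(r"arn:aws[a-z-]*:sts::(\d{12}):federated-user/.+")

def token_problems(account_id, token_json, now=None):
    """Return reasons not to submit this token; an empty list means it looks usable."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if not re.fullmatch(r"\d{12}", account_id):
        problems.append("account id is not 12 digits")
    try:
        token = json.loads(token_json)
        creds = token["Credentials"]
        key_id, session = creds["AccessKeyId"], creds["SessionToken"]
        expires = datetime.fromisoformat(creds["Expiration"])
        arn = ARN_RE.fullmatch(token["FederatedUser"]["Arn"])
    except (ValueError, KeyError, TypeError) as exc:
        return problems + [f"malformed token JSON: {exc!r}"]
    if expires.tzinfo is None:  # treat a naive timestamp as UTC
        expires = expires.replace(tzinfo=timezone.utc)
    # Temporary STS keys begin with ASIA; AKIA marks a long-lived IAM user key.
    if not str(key_id).startswith("ASIA") or not session:
        problems.append("not temporary credentials")
    if arn is None:
        problems.append("Arn is not a federated-user ARN")
    elif arn.group(1) != account_id:
        problems.append("token belongs to a different AWS account")
    if expires <= now:
        problems.append("token has expired")
    return problems

if __name__ == "__main__":
    print(token_problems("123456789012", SAMPLE_TOKEN))
```
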

Steps to follow (On AWS Side)

Please note that if Tellius is hosting the infrastructure, then the Tellius team will take care of all the following steps. Contact support@tellius.com for further assistance.

  1. A new user needs to be created on AWS with this policy attached via a group.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "sts:GetSessionToken",
                "sts:GetFederationToken",
                "sts:GetAccessKeyInfo",
                "sts:GetCallerIdentity",
                "sts:GetServiceBearerToken"
            ],
            "Resource": "*"
        }
    ]
}

Using the AWS access credentials created for this account, you can set up AWS CLI and then run the following command to retrieve temporary security credentials to authorize Snowflake to access AWS resources.

aws sts get-federation-token --name tellius-sf-01

  2. Create a VPC Endpoint on the AWS console for tunneling PrivateLink endpoints. Enter the resource ID of privatelink-vpce-id from the saved JSON and click verify and create.

  3. Create a private DNS Hosted Zone in AWS Route53 on the same VPC as the Kubernetes cluster/instance. This can be the same as the node group's VPC, subnet, and Security Group.

  4. Add CNAMEs for the URLs printed in the JSON using the following format:

  • Record type: CNAME

  • Name: <URL from the JSON; repeat for each URL>

  • Address: <DNS Name of the VPC Endpoint created in step 2>

  • TTL: 30 seconds

  5. In the AWS Console, navigate to the EC2 dashboard and click on Security Groups in the left-hand navigation panel.

  6. Click on the Create Security Group button and create a new security group with inbound and outbound rules that allow traffic from the VPC endpoint security group to the appropriate node group of the Kubernetes cluster for ports 80 and 443.

With these steps, you should now have a fully functional Snowflake-AWS PrivateLink environment that allows you to securely access data from Snowflake through a private network connection.

Note that you may need to grant appropriate permissions to users and roles in order to access the new stage. It can be done by using the GRANT command in Snowflake.
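
The hosted zone and CNAME steps above can be scripted, shown here as an added example that is not part of the original page: it extracts every PrivateLink hostname from the saved SYSTEM$GET_PRIVATELINK_CONFIG() output, builds a Route 53 change batch of CNAME records (TTL 30) pointing at the VPC endpoint, and flags any hostname that still resolves to a public address. The sample config, endpoint DNS name and function names are constructed; the hostname suffix privatelink.snowflakecomputing.com is an assumption about the URLs in your JSON.

```python
import ipaddress
import re
import socket

# Constructed sample shaped like the saved SYSTEM$GET_PRIVATELINK_CONFIG() output.
SAMPLE_CONFIG = {
    "privatelink-vpce-id": "com.amazonaws.vpce.us-west-2.vpce-svc-0123456789abcdef0",
    "privatelink-account-url": "xy12345.us-west-2.privatelink.snowflakecomputing.com",
    "privatelink-ocsp-url": "ocsp.xy12345.us-west-2.privatelink.snowflakecomputing.com",
}
# Constructed DNS name of the VPC endpoint created in the AWS console.
SAMPLE_ENDPOINT = "vpce-0aaa-bbbb.vpce-svc-0123456789abcdef0.us-west-2.vpce.amazonaws.com"
HOST_RE = re.compile(r"[a-z0-9._-]+\.privatelink\.snowflakecomputing\.com")

def privatelink_hosts(config):
    """Every PrivateLink hostname that appears in any config value."""
    found = set()
    for value in config.values():
        found.update(HOST_RE.findall(str(value).lower()))
    return sorted(found)

def cname_change_batch(config, endpoint_dns, ttl=30):
    """Route 53 change batch with one CNAME per hostname (TTL 30 as in the steps)."""
    return {"Changes": [{
        "Action": "UPSERT",
        "ResourceRecordSet": {"Name": host, "Type": "CNAME", "TTL": ttl,
                              "ResourceRecords": [{"Value": endpoint_dns}]},
    } for host in privatelink_hosts(config)]}

def resolve(host):
    """Addresses the local resolver returns; run this from inside the VPC."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, 443)})
    except socket.gaierror:
        return []

def not_private(resolved):
    """Hosts whose answers are empty or include a non-private address."""
    bad = {}
    for host, ips in resolved.items():
        public = [ip for ip in ips if not ipaddress.ip_address(ip).is_private]
        if public or not ips:
            bad[host] = public
    return bad

if __name__ == "__main__":
    print(cname_change_batch(SAMPLE_CONFIG, SAMPLE_ENDPOINT))
    hosts = privatelink_hosts(SAMPLE_CONFIG)
    print(not_private({h: resolve(h) for h in hosts}))
```

The batch can be passed to aws route53 change-resource-record-sets together with the ID of the private hosted zone; an empty result from not_private, run on a host inside the VPC, means every Snowflake hostname resolves to a private address.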

Points to remember

  1. Make sure that the security groups of both VPC endpoints contain inbound and outbound rules to the proper Kubernetes cluster node group for ports 80 and 443.

  2. When creating the VPC endpoint, make sure to select the VPC and subnet where your Kubernetes cluster/instance is running, and also make sure to choose the appropriate security group that allows traffic from the Kubernetes cluster.

  3. When creating the private DNS Hosted Zone, make sure to choose the same VPC as the Kubernetes cluster/instance and add CNAME records for all the URLs printed in the JSON output from Step 2 on the Snowflake side.

  4. When creating the VPC endpoint for tunneling PrivateLink endpoints, make sure to select the appropriate resource ID of the endpoint and verify the settings before creating.

  5. Also, note that Snowflake charges additional fees for using PrivateLink, and it is important to review the pricing and billing documentation to understand the costs associated with using this feature.

Reference

The exact steps may vary depending on your specific setup, and it is important to consult the official Snowflake and AWS documentation for detailed instructions and best practices.


Last updated 4 months ago

https://docs.snowflake.com/en/user-guide/admin-security-privatelink.html#configuring-your-aws-vpc-environment
https://docs.snowflake.com/en/user-guide/private-internal-stages-aws.html
Creating a VPC endpoint
Adding CNAMEs for the URLs